Workshops List


DEF CON Workshops

Longer, more detailed, hands on, lasting half a day.
These have limited seating.
These fill up VERY quickly!
Workshop Registration Opened July 5 Noon PDT. All of these are Sold Out!

DEF CON All Workshops Forum page



Sold Out – Adrian Wood, David Mitchell – Creating and uncovering malicious containers Redux

Workshop DC Forum Page


Title: Adrian Wood, David Mitchell – Creating and uncovering malicious containers Redux

Scheduled Date and Time (Pacific Standard): Saturday, August 12, 2023, at 0900 PDT

EventBrite Link: https://www.eventbrite.com/e/adrian-…=oddtdtcreator

Max Class Size: 90




Abstract:

Containers allow bad actors access to an excellent delivery mechanism for malware deployment in organizations, offering a wide variety of detection avoidance and persistence mechanisms. Fear not protectors, containers also offer ways to detect these, but can be fraught with challenges. Whether you’re red, blue or just container curious this workshop is for you.

In this workshop, you will get hands-on with containers and kubernetes, – starting with introductory content – learning how they work, where and how to hide or find things, how to identify indicators of compromise, indicators of attack, and how to apply analysis to gain a deeper understanding of container malware and what is going on inside containers.

This workshop will utilize the Google Cloud Platform alongside command line operands and a small amount of open source tooling to learn both offensive and defense techniques on containers. By the end, you’ll have a solid mental model of how containers work, how they are managed and deployed, and be equipped with the ability to analyze container images, identify problems, attack container supply chains and identify familiar patterns. Ultimately, these skills will allow you to generate valuable insights for your organization’s defense or aid you in your next attack.

This course is designed to take you deep into the world of containers, making tooling like Kubernetes much more intuitive and easy to understand.There’s lots of labs which will be used to reinforce your learnings,in both attack and defense and the course comes with very detailed notes and instructions for setup which you can repeat on your own time. This course will provide references to scripts that make certain tasks easier, but we will be challenging you to learn the process and reasoning behind them rather than relying on automation.

Attendees will be provided with all the lab material used in the course in digital format, including labs, guides and virtual machine setup.




Skill Level: Beginner to Intermediate

Prerequisites for students: None! the class is well designed to allow those with little to no linux, kubernetes or cloud familiarity to follow along, but a basic familiarity with Linux and terminal will allow attendees to focus on the work.




Materials or Equipment students will need to bring to participate: A Google Cloud free tier account (basically a fresh gmail account), and an internet connected computer. We will send out instructions to attendees prior to the class, so they can be ready on the day.




Bios:

Adrian Wood, aka threlfall, discovered a love for hacking from cracking and modding video games and from the encouragement of online friends. He has worked as a red team consultant for WHITEHACK, a company he founded, and later as a lead engineer for an offensive research team at a US bank, where he was very interested in appsec, container security, CI/CD security and also founded their bug bounty program. He currently works for Dropbox, working on their red team. In his free time, he enjoys playing saxophone, working on vintage cars, and fly-fishing.




David Mitchell, aka digish0, started his hacking career as a script kiddie running 7th Sphere in mIRC in high school. Later falling in with some Linux/RedHat nerds at a local 2600 group at college while studying CS, etc. He got into Linux, started an IT career, later rediscovering his hacking script kiddie roots when a local hacker space opened up and shared members with a lockpicking group that worked in infosec as penetration testers, etc where he discovered he could get paid to do the things he liked doing in high school/college. He now works professionally as a red team member and cyber security researcher at a large financial institution. The rest of the time he spends being a dad/husband, trying not to get injured in Muay Thai/BJJ or mountain biking, and listening to either very expensive or very cheap vinyl.
​ Starts August 12, 2023 09:00 Ends August 12, 2023 13:00 Location Las Vegas, NV, DEF CON 31


Sold Out – Angus Strom, Troy Defty – Flipping the Coin: Red and Blue Teaming in Windows Environments

Workshop DC Forum Page


Title: Angus Strom, Troy Defty – Flipping the Coin: Red and Blue Teaming in Windows Environments

Scheduled Date and Time (Pacific Standard): Thursday, August 10, 2023, at 1400-1800 PDT

EventBrite Link: https://www.eventbrite.com/e/angus-s…=oddtdtcreator

Max Class Size: 40




Abstract:

Red and blue are two sides of the same coin. Offensive and defensive teams deliver the best results when working together; sharing knowledge, ideas, and understanding with each other. And a core part of this information exchange is understanding each respective perspective. This is the overarching theme of the workshop; attackers thinking like defenders, and defenders thinking like attackers.

By the end of the workshop, attendees will:

1. Understand and perform common offensive attacks (supported by the Metasploit Framework) against Windows Domains, including:
  • Pass the Hash attacks;
  • ADCS abuse;
  • PrintSpoofer exploits;
  • LSASS exploitation (using Mimikatz);
  • AD enumeration (using BloodHound);
  • DACL abuse;
  • Kerberos golden tickets; and
  • DLL hijacking.

2. Understand the process of detecting attacks against Windows infrastructure, including how to design and implement their own detection rules based on attendees’ previous attacks, using:
  • Sigma/Yara rules.
  • Log ingestion/normalization platforms, and query engines (e.g. ELK).

3. Understand and appreciate how the actions and processes of red and blue teams are interlinked, for the greater collective good. Recommended (but not required) prior reading:



Skill Level: Beginner to Intermediate

Prerequisites for students:

Basic understanding of the Linux and Windows command line, and some basic knowledge of IP networking and routing. A basic understanding of Active Directory and exposure to the Metasploit Framework/Meterpreter are beneficial, but not required.




Materials or Equipment students will need to bring to participate:

Laptop, 8GB RAM, OpenVPN Client, Remote Desktop Protocol (RDP) client. It is strongly recommended that attendees have local administrative rights to their device.

An Internet connection is also required; DEF CON’s (authenticated) WiFi network will suffice, however attendees should consider alternative options in favour of resiliency (e.g. tethering/hotspotting cell phones).




Bios:

Angus (0x10f2c_) is currently a Senior Security Engineer working at a tech company. He obtained a love for all things computers by scavenging computer parts from local garbage pickups as a kid, and then trying to make them work together without blowing up. Angus eventually realised that a career could be made out of his skills hacking together poorly written LUA code in Garry’s mod, and finished a Bachelors in Network Security. In his professional career Angus has 5+ years working in Security Consulting, working across many industries and gaining many shells. More recently Angus has made the move to a security engineer focused role. When not hacking he loves to ski on the little snow that Australia has, and loves to paint small miniatures while listening to Drone Metal.




Having worked in the UK and Australian InfoSec industries for just over a decade, and following 8 and a half years of red teaming, Troy jumped the proverbial fence from red to blue, and is currently a Security Engineering Manager at a tech company. His interest and experience is in detection engineering, red teaming, threat modelling, hardware, and assessing ICS environments. Other interests include music, electronics, the outdoors, travel, rugby, CTF, and being bad at golf.
​ Starts August 10, 2023 14:00 Ends August 10, 2023 18:00 Location Las Vegas, NV, DEF CON 31


Sold Out – Anthony Rose, Gannon “Dorf” Gebauer, Vincent "Vinnybod" Rose – Snakes on a Screen: Taming…

Workshop DC Forum Page

Title: Anthony Rose, Gannon “Dorf” Gebauer, Vincent "Vinnybod" Rose – Snakes on a Screen: Taming Offensive IronPython Techniques
Scheduled Date and Time (Pacific Standard): Friday, August 11, 2023, at 0900 PDT
EventBrite Link: https://www.eventbrite.com/e/anthony…=oddtdtcreator
Max Class Size: 80

Abstract:
IronPython is a powerful and flexible programming language that has been increasingly used by attackers due to its ability to bypass security controls. This practical workshop will explore the inner workings of IronPython and its unique features that enable sophisticated offensive techniques. Participants will gain hands-on experience in developing IronPython payloads that can evade modern security controls and execute malicious code on target systems.
The workshop will cover the following topics:
1. Introduction to IronPython: Basic syntax and usage of IronPython, and how it can be used in offensive scenarios.
2. BYOI and DLR: Bring Your Own Interpreter (BYOI) and Dynamic Language Runtime (DLR) concepts and their role in developing offensive payloads.
3. Malware Development with IronPython: Develop sophisticated payloads that can bypass modern security controls and execute malicious code on target systems.
4. Anti-Forensics and Evasion Techniques: Techniques to make the payloads more resilient to forensic analysis and detection.
5. Advanced Techniques: Advanced techniques like using IronPython with C# and PowerShell and integrating the payloads with other offensive tools.
This workshop is designed for offensive security professionals, red teamers, penetration testers, and anyone interested in exploring the capabilities of IronPython for offensive purposes. Participants should have a basic understanding of Python and programming concepts. By the end of the workshop, participants will have a deeper understanding of IronPython and its capabilities for developing offensive payloads.

Skill Level: Intermediate
Prerequisites for students: A familiarity with python is preferred, but not required.

Materials or Equipment students will need to bring to participate: Laptop with Windows or other Windows VM

Bios:
Anthony "Coin" Rose, CISSP, is the Director of Security Researcher at BC Security, where he specializes in adversary tactic emulation planning, Red and Blue Team operations, and embedded systems security. He has presented at numerous security conferences, including Black Hat, DEF CON, HackSpaceCon, HackMiami, and RSA conferences. Anthony is the author of various offensive security tools, including Empire and Starkiller, which he actively develops and maintains. He is recognized for his work, revealing wide-spread vulnerabilities in Bluetooth devices and is the co-author of a cybersecurity blog at https://www.bc-security.org/blog/ .

Gannon “Dorf” Gebauer is a Security Consultant at BC Security and specializes in threat intelligence and embedded system testing. He has led teams through the Cyber Patriot, a USAF CTF that tests both defense and offensive capabilities. Currently, his expertise is focused on building automation tools for range deployments. Dorf has taught courses at both, Blackhat and DEF CON.

Vincent "Vinnybod" Rose is the Lead Developer for Empire and Starkiller. He is a software engineer with a decade of expertise in building highly scalable cloud services, improving developer operations, and building automation. Recently, his focus has been on the reliability and stability of the Empire C2 server in the most recent major update (Empire 5). Vinnybod has presented at Black Hat and has taught courses at DEF CON on Red Teaming and Offensive PowerShell. He currently maintains a cybersecurity blog focused on offensive security at https://www.bc-security.org/blog/ .


​ Starts August 11, 2023 09:00 Ends August 11, 2023 13:00 Location Las Vegas, NV, DEF CON 31


Sold Out – Arnaud SOULLIE, Alexandrine TORRENTS – Pentesting Inductiral Control Systems: OCP-U-HACK

Workshop DC Forum Page


Title: Arnaud SOULLIE, Alexandrine TORRENTS – Pentesting Inductiral Control Systems: OCP-U-HACK

Scheduled Date and Time (Pacific Standard): Thursday, August 10, 2023, at 0900 PDT

EventBrite Link: https://www.eventbrite.com/e/arnaud-…=oddtdtcreator

Max Class Size: 40




Abstract:

Let’s capture the flag, literally! In this workshop you’ll participate in an engaging CTF during which you’ll take control of a robotic arm to capture a real flag on a model train!




To do so, we’ll start with an introduction to Industrial Control Systems to discover the specific components, the network architectures, and even program a PLC simulator.




We’ll then discover some ICS-specific protocols, with a focus on OPC-UA, a modern ICS protocol.




Finally, you’ll connect to our ICS setup composed of real ICS hardware and software and compete against other attendees to capture the flags with robotic hands!




Skill Level: Beginner

Prerequisites for students: No specific knowledge is required




Materials or Equipment students will need to bring to participate: Students should have a laptop capable of running 64-bits virtual machines




Bio:

Arnaud Soullié (@arnaudsoullie) is a Senior Manager at Wavestone, a global consulting company. For 12 years, he has been performing security assessments and pentests on all types of targets. He started specializing in ICS cybersecurity 10 years ago. He spoke and taught workshops at numerous security conferences on ICS topics : BlackHat Europe, BruCon, CS3STHLM, BSides Las Vegas, DEFCON… He is also the creator of the DYODE project, an open­source data diode aimed at ICS. He has been teaching ICS cybersecurity training since 2015.




Alexandrine Torrents is a cybersecurity expert at Wavestone. She started as a penetration tester, and performed several cybersecurity assessments on ICS. She worked on a few ICS models to demonstrate attacks on PLCs and developed a particular tool to request Siemens PLCs. Then, she started working at securing ICS, especially in the scope of the French military law, helping companies offering a vital service to the nation to comply with security rules. Now, Alexandrine works with different industrial CISOs on their cybersecurity projects: defining secure architectures, hardening systems, implementing detection mechanisms. She is also IEC 62443 certified and still performs assessments on multiple environments.



​ Starts August 10, 2023 09:00 Ends August 10, 2023 13:00 Location Las Vegas, NV, DEF CON 31


Sold Out – Chris Greer – Hands-On TCP/IP Deep Dive with Wireshark – How this stuff really works

Workshop DC Forum Page


Title: Chris Greer – Hands-On TCP/IP Deep Dive with Wireshark – How this stuff really works

Scheduled Date and Time (Pacific Standard): Saturday, August 12, 2023, at 1400 PDT

EventBrite Link: https://www.eventbrite.com/e/chris-g…=oddtdtcreator

Max Class Size: 80




Abstract:

Let’s break out Wireshark and dig deep in to the TCP and IP protocols. This skill is critical for anyone interested in any area of cybersecurity, no matter the color of the hat. Almost all enumeration, scans, incident response, and traffic forensics require the analyst to dig into and interpret TCP conversations. When enumerating an environment, identifying key TCP/IP indicators in protocol headers can also help when passively fingerprinting systems.




In this workshop we will roll back our sleeves and learn how TCP/IP really works – the handshake, options, sequence/ack numbers, retransmissions, TTL, and much more. This workshop welcomes all cybersecurity and wireshark experience levels.




Skill Level: Beginner to Intermediate

Prerequisites for students: Just a laptop with a copy of Wireshark. I will provide the sample pcaps for analysis.




Materials or Equipment students will need to bring to participate: Laptop




Bio:

Chris Greer is a network analyst and Wireshark instructor for Packet Pioneer, a Wireshark University partner. He has focused much of his career at the transport layer, specifically TCP, specializing in how this core protocol works to deliver applications, services, and attacks between systems. Chris is a regular speaker at Sharkfest – the

Wireshark Developer and User Conference. He has presented at DEFCON and other industry conferences and regularly posts Wireshark analysis tips to his YouTube channel.



​ Starts August 12, 2023 14:00 Ends August 12, 2023 18:00 Location Las Vegas, NV, DEF CON 31


Sold Out – Christopher Forte, Robert Fitzpatrick – The Petting Zoo: Breaking into CTFs

Workshop DC Forum Page


Title: Christopher Forte, Robert Fitzpatrick – The Petting Zoo: Breaking into CTFs

Scheduled Date and Time (Pacific Standard): Saturday, August 12, 2023, at 0900 PDT

EventBrite Link: https://www.eventbrite.com/e/christo…=oddtdtcreator

Max Class Size: 80




Abstract:

Breaking into the capture the flag (CTF) world can be daunting and many people are overwhelmed when faced with participation in these events and challenges. With how beneficial the various challenges can be to both beginners and seasoned professionals, we want to demystify this world and help people get the most out of them.

This workshop will start with an overview of the CTF landscape, why we do them, and what value they have in the scope of the hacking community. This presentation will include various resources and a few simple demos to show how to approach a CTF and how it may differ from "real world" hacking challenges that many of us face in our professions. Next, a short CTF will be hosted to give attendees hands-on experience solving challenges with the ability to ask for help and will be guided through the approach to successfully navigating these challenges. Upon completion, the group will have worked through various types of hacking challenges and will have the confidence to participate in other CTFs hosted throughout the year.

Areas of focus will include:

* Common platforms and formats

* Overview of online resources, repositories, and how to progress

* Common tools used in CTFs and hacking challenges

* Basics of web challenges

* Basics of binary exploitation and reversing challenges

* Basics of cryptographic challenges

* Basics of forensic and network traffic challenges




Skill Level: Beginner

Prerequisites for students:

– Be curious about CTFs and have a very basic knowledge of or exposure to fundamental topics (e.g., Linux, websites, networking, data encoding and encryption)

– Exposure to the above concepts will help during the workshop defined CTF challenges but is not required for the workshop




Materials or Equipment students will need to bring to participate:

– Laptop

– Debian-based Virtual Machine (e.g., Kali) is recommended

– Virtualized environment or Kali is not required but Kali will provide all the tools useful in solving the challenges and help standardize available tools. All challenge solutions will be possible using default Kali installations.

– A limited number of Kali-Chromebooks and hosted resources will be available for those having issues or unable to bring their own systems.




Bios:

Christopher Forte is a security researcher and a junky for learning, participating in CTFs, and solving challenges. He is curious, loves teaching others, and has a passion for breaking things. As a resident of Las Vegas, Christopher co-founded DC702, is the local Chapter President of TOOOL, and enjoys introducing people to the world of hacking and lock picking.




Robert Fitzpatrick is a military veteran of over 20 years. He began his cyber life leading the Information Assurance office, and quickly moved up to run the Network Operations Center, as well as the Network Test and Evaluation center. He has built multiple operations centers in both homeland and austere locations, purchased satellite infrastructures, and led vulnerability investigations for classified networks. He is also a co-founder of DC702 and enjoys training new students on an eclectic array of subjects surrounding his interests.



​ Starts August 12, 2023 09:00 Ends August 12, 2023 13:00 Location Las Vegas, NV, DEF CON 31


Sold Out – Eigentourist – Hacking The Metal: An Intro to ARM Assembly Language Programming

Workshop DC Forum Page


Title: Eigentourist – Hacking The Metal: An Intro to ARM Assembly Language Programming

Scheduled Date and Time (Pacific Standard): Thursday, August 10, 2023, at 0900 PDT

EventBrite Link: https://www.eventbrite.com/e/eigento…=oddtdtcreator

Max Class Size: 60




Abstract:

"RISC architecture is gonna change everything."

"Yeah. RISC is good."

So said Angelina Jolie and Jonny Lee Miller in 1995. And while many of us weren’t looking, RISC quietly changed everything.

This workshop will teach an introduction to low-level programming on the CPU that runs your favorite mobile games, apps, and everything else on your personal devices — and is now creeping onto the desktop and into the datacenters that run the world.

We will write assembly code for ARM CPUs, and run it on an emulated Raspberry Pi, using the QEMU emulator. In the process, we will learn the key differences between ARM and the Intel CPUs running our workstations and servers. We will also learn to parallelize operations using the Neon coprocessor, and communicate with devices via the Raspberry’s GPIO pins. Finally, we will explore and debug some misbehaving code, and in the end, we will emerge with a deeper understanding of low-level operations as they occur on the devices that play a vital role in our present and our future.




Skill Level: Intermediate

Prerequisites for students: Some previous coding experience is helpful, but mostly, a healthy curiosity




Materials or Equipment students will need to bring to participate: Laptop with wifi connectivity, if wishing to participate




Bio:

Eigentourist is a programmer who learned the craft in the early 1980s. He began formal education in computer science when the height of software engineering discipline meant avoiding the use of GOTO statements. Over the course of his career, he has created code of beautiful simplicity and elegance, and of horrific complexity and unpredictability. Sometimes it’s hard to tell which was which. Today, he works on systems integration and engineering in the healthcare industry.



​ Starts August 10, 2023 09:00 Ends August 10, 2023 13:00 Location Las Vegas, NV, DEF CON 31


Sold Out – Guillaume Ross, Austin Kelleher, Adam Pierson – Starbase: open source graph security analysis

Workshop DC Forum Page


Title: Guillaume Ross, Austin Kelleher, Adam Pierson – Starbase: open source graph security analysis

Scheduled Date and Time (Pacific Standard): Saturday, August 12, 2023, at 1400 PDT

EventBrite Link: https://www.eventbrite.com/e/guillau…=oddtdtcreator

Max Class Size: 70




Abstract:

Security teams are overwhelmed with data. How does a user account relate to a server, an application? Does this vulnerability put this important data at risk, or does it simply expose a few systems we care about much less? Who really has access to these files? This is vulnerable, but the firewall won’t let traffic to the service, or will it?




These types of questions are very difficult to answer in a vacuum as they require context. With the power of graphs, and Starbase, an open source graph security analysis tool, we will be able to import the data that allows us to answer them using the graph.




John Lambert said “Defenders think in lists, attackers think in graphs”. Join us, so we can get a lot more people thinking in graphs!




Skill Level: Intermediate

Prerequisites for students:

Ability to use Docker when provided with commands. Basic understanding of IT and security issues in cloud environments.




Materials or Equipment students will need to bring to participate: A laptop with Docker as well as a few docker images pulled in advance.

Due to the brittle nature of conference Wi-Fi, we’d send instructions in advance, so as many people as possible will have downloaded it.




Bio:

Guillaume has worked on the blue-team side of security for close to two decades now, and loves to do things because they MATTER and not just because everyone else in security is doing the same. He leads the security and IT teams at JupiterOne.




Austin Kelleher is a Principal Software Engineer as well as a founding member at JupiterOne. He leads the team responsible for maintaining 100+ open-source projects at JupiterOne. His background has primarily been focused on developing cloud-based software systems and tools that interact with graphs for security analysis. Prior to moving to the security industry, Austin was an engineer at eBay building Marko and Lasso, which are the open-source web tools that power the eBay.com web experience.




Adam Pierson is a Senior Software Engineer at JupiterOne. His diverse experience includes time as an embedded software engineer, an R&D analyst working on adopting emerging technologies within large corporate IT environments, and as a developer demonstrating the value of using graph databases to solve complex problems. Currently he is on JupiterOne’s Integration team working on development tools and continuing work on the open-source Starbase project.




​ Starts August 12, 2023 14:00 Ends August 12, 2023 18:00 Location Las Vegas, NV, DEF CON 31


Sold Out – Harley Geiger, Amit Elazari – How hackers can send feedback directly to policymakers like the pros

Workshop DC Forum Page


Title: Harley Geiger, Amit Elazari – How hackers can send feedback directly to policymakers like the pros

Scheduled Date and Time (Pacific Standard): Friday, August 11, 2023, at 1400 PDT

EventBrite Link: https://www.eventbrite.com/e/harley-…=oddtdtcreator

Max Class Size: 70




Abstract:

The first official comments on security policy live from DEF CON. The workshop will show hackers how to go through the process of submitting official comments to regulations and legislation.

Meeting with policymakers is only one way to make your voice heard. There are also formal channels for submitting written feedback on policy proposals that become a critical part of the record for regulations. These channels are open to the public, but non-policy professionals don’t always know how to access or make the most effective use of them.

This workshop will walk security researchers through the process of using regulations.gov and congress.gov to find open opportunities to influence regulations, and actually submit official comments via those channels from the workshop. The workshop will also talk through how to form an advocacy strategy to amplify the impact of the comments – for example, how to find the right policymakers and staff to follow up with.

The workshop will be led by policy professionals with deep ties to the security community.




Skill Level: All Levels

Prerequisites for students: None

Materials or Equipment students will need to bring to participate: To walk through the process and/or submit comments, bring a laptop, iPad, or other connected device you can type on.




Bios:

Harley Geiger is Counsel and Senior Director at Venable, LLP, where he leads the Security Research Legal Defense Fund and the Hacking Policy Council and counsels clients on a variety of cybersecurity issues. Prior to this, Geiger was Senior Director for Public Policy at Rapid7, where he worked to expand adoption of vulnerability disclosure and legal protections for security research. Geiger also worked as Senior Legislative Counsel in the U.S. House of Representatives, where he drafted Aaron’s Law, and served as Advocacy Director at the Center for Democracy & Technology.




Dr. Amit Elazari is Co-Founder and CEO of OpenPolicy, the world first tech-enabled policy and advocacy company, aiming to democratize access to information concerning future regulation action, policy and lobbying to entities of all sizes by leveraging scale and technology. Prior to OpenPolicy, she served as Head of Cybersecurity Policy for Intel Corp and chaired the Cybersecurity Committee for the Information Technology Industry Council (ITI) among others. She holds a Doctoral Degree in the Law (JSD) from Berkeley Law, and graduated summa cum laude with three prior degrees in law and business. Her research appeared in leading academic journals, key conferences such as RSAC, Black Hat, DEFCON, Bsides, and USENIX, and was featured at the WSJ and NYT. She co-founded Disclose.io, a non-profit that foster adoptions of legal protections for good-faith security research. Amit has a diverse background in technical, policy, and legal roles, and practiced Hi-tech, Venture Capital, and M&A law at Israel’s largest law firm, Goldfarb Gross Seligman & Co.



​ Starts August 11, 2023 14:00 Ends August 11, 2023 18:00 Location Las Vegas, NV, DEF CON 31


Sold Out – Jake "Hubble" Krasnov, Dylan "CyberStryke" Butler, Kevin “Kent” Clark – Long Live the Empire…

Workshop DC Forum Page


Title: Jake "Hubble" Krasnov, Dylan "CyberStryke" Butler, Kevin “Kent” Clark – Long Live the Empire: A C2 Workshop for Modern Red Teaming

Scheduled Date and Time (Pacific Standard): Friday, August 11, 2023, at 0900 PDT

EventBrite Link: https://www.eventbrite.com/e/jake-hu…=oddtdtcreator

Max Class Size: 80




Abstract:

Command and Control (C2) is a crucial component of modern Red Teams and Advanced Persistent Threats (APTs), enabling persistent connections to target networks and facilitating the spread of control throughout the infrastructure. This comprehensive workshop will provide an in-depth understanding of C2 concepts by utilizing the open-source Empire C2 framework. Participants will gain valuable insights into the deployment, features, and real-world application of C2 in offensive security. Attendees will learn how to leverage the powerful Empire framework to create, customize, and execute advanced attack scenarios, honing their skills as red team operators.

The workshop will cover a range of topics, from setting up Empire, understanding listeners, stagers, and agents, to exploring Empire’s modules and evasion techniques. Participants will engage in hands-on exercises, building their proficiency in configuring and deploying Empire servers, interacting with clients, and implementing various listeners and modules. The workshop will culminate in a mini Capture-The-Flag (CTF) challenge, where attendees will apply their newfound knowledge in a cloud-hosted environment provided by the instructors.




Skill Level: Beginner

Prerequisites for students: Basic computer abilities




Materials or Equipment students will need to bring to participate: Laptop with a Kali Linux VM




Bios:

Jake "Hubbl3" Krasnov is the Red Team Operations Lead at BC Security. He has spent the first half of his career as an Astronautical Engineer overseeing rocket modifications for the Air Force. He then moved into offensive security, running operational cyber testing for fighter aircraft and operating on a red team. Hubbl3 has presented at DEF CON, where he taught courses on offensive PowerShell and has been recognized by Microsoft for his discovery of a vulnerability in AMSI. Jake has authored numerous tools, including Invoke-PrintDemon and Invoke-ZeroLogon, and is the co-author of a cybersecurity blog at https://www.bc-security.org/blog/ .




Kevin “Kent” Clark is a Security Consultant with TrustedSec and Red Team Instructor with BC Security. His previous work includes Penetration Testing and Red Team Operator, focusing on initial access and active directory exploitation. Kevin contributes to open-source tools such as PowerShell Empire and publishes custom security toolkits such as Badrats and WindowsBinaryReplacements. Kevin authors a cybersecurity blog at https://henpeebin.com/kevin/blog .




Dylan "CyberStryke" Butler is an Offensive Infrastructure Developer at BC Security. He began his career as a software engineer, developing high-performance systems for major tech companies. His passion for cybersecurity led him to specialize in offensive infrastructure development, where he now designs and builds robust frameworks to support red team operations.



​ Starts August 11, 2023 09:00 Ends August 11, 2023 13:00 Location Las Vegas, NV, DEF CON 31


Sold Out – James Hawk, Lander Beyer, Daniel Costantini – Hide your kids, turn off your Wi-Fi, they Rogue…

Workshop DC Forum Page


Title: James Hawk, Lander Beyer, Daniel Costantini – Hide your kids, turn off your Wi-Fi, they Rogue APing up in here

Scheduled Date and Time (Pacific Standard): Thursday, August 10, 2023, at 1400-1800 PDT

EventBrite Link: https://www.eventbrite.com/e/james-h…=oddtdtcreator

Max Class Size: 25




Abstract:

This workshop will teach you how to deploy Rogue APs in your client’s environment. Using Rogue APs lets you test your client’s Wireless Intrusion Detection System, passwords, wireless phishing education, and overall wireless security. We will discuss Rogue AP Tactics, Techniques, and Procedures, and how and why they work. In this workshop we will walk through setting up an OPEN, CAPTIVE PORTAL, WPA2, and 802.1x Rogue AP. We will also go over OWE and WPA3-SAE transition mode Rogue APs.

The primary goal is setting up Rogue APs to harvest credentials. In the workshop, we will walk through a scenario at a client’s site, then set up a Rogue AP to harvest users’ credentials for the various networks at the site. We will go through how to crack the harvested credentials. We will be using EAPHAMMER, HOSTAPD-MANA, WIFIPHISHER, and AIRBASE-NG for the Rogue AP portion, HASHCAT, AIRCRACK-NG, and JOHN for the cracking portion. This workshop is for beginners, but participants should have basic Linux and 802.11 knowledge and be comfortable using virtual machines.




Recommended reading/viewing:

https://posts.specterops.io/modern-w…s-35a8571550ee

https://sensepost.com/blog/2015/impr…ks-mana-1%2F2/

https://www.youtube.com/watch?v=i2-jReLBSVk




Skill Level: Beginner

Prerequisites for students: None




Materials or Equipment students will need to bring to participate:

Laptop with 8 GBS RAM

Virtual Box / VMware Installed

Wireless card with Access Point Mode and monitor mode. Recommended chip set AWUS036ACM.




Bios:

James Hawk (He/Him) is a Senior Consultant with Mandiant, within Proactive Services. He is the wireless subject matter expert for his team. James has led and contributed to dozens of assessments (Red Teams and Pen Tests). He has developed internal training and tool updates for 802.11 for his company. James is a 20-year veteran of the U.S. Army and has over 10 years hands-on experience in wireless technologies. James is always researching/testing 802.11 attacks against his home lab. He is a fan of hockey, LetterKenny, and almost anything sci-fi.




Lander Beyer (He/Him) is the Manager of Mandiant’s Proactive Services team within their Global Government section. Lander has performed dozens of penetration testing services against State, Local, and Education (SLED) organizations, to include wireless and physical assessments. Lander is a cyber branch warrant officer in the California Army National Guard, and a proud husband and father of two. He enjoys table tennis, long walks in the rain, and Domain Admin.




Daniel Costantini is a Principal Consultant with Mandiant, within Proactive Services. He is a Red Team/Penetration Testing subject matter expert in a variety of disciplines. Daniel has led and contributed to over a hundred Penetration/Red Team assessments. Over the years he has gained vast experience in living off the land, application, web, and network penetration testing. He continues, to strengthen his expertise in advanced wireless assessments. Daniel is a 17-year veteran of the United States Air Force (USAF) with ten of those years on active-duty and continues to serve in the United States Air Force Reserves. He has performed Penetration tests for USAF while on active duty and as a civilian contractor. He enjoys spending time with his family, playing games, and relaxing in front of the television.
​ Starts August 10, 2023 14:00 Ends August 10, 2023 18:00 Location Las Vegas, NV, DEF CON 31


Sold Out – Josh Kamdjou, Alfie Champion – Email Detection Engineering and Threat Hunting Inbox

Workshop DC Forum Page


Title: Josh Kamdjou, Alfie Champion – Email Detection Engineering and Threat Hunting Inbox

Scheduled Date and Time (Pacific Standard): Saturday, August 12, 2023, at 0900 PDT

EventBrite Link: https://www.eventbrite.com/e/josh-ka…=oddtdtcreator

Max Class Size: 80




Abstract:

Email remains the #1 initial access vector for commodity malware and nation state actors. Historically, tackling email-based threats has been considered the purview of black-box vendor solutions, with defenders having limited scope (or tooling!) to swiftly and effectively respond to emerging attacker activity and novel offensive tradecraft.

In this workshop, attendees will be given detailed insight into the latest techniques used to deliver prevalent malware strains, including QakBot and Emotet, and will hunt through email data to identify this malicious activity, developing rules to detect and block these attacks.

Initially attendees will be introduced to the foundational technologies that enable threat hunting, detection engineering, and response in the email domain, before being given access to the email data of a fictitious company seeded with benign and real-world attack data. Throughout the day, participants will learn to hunt common phishing techniques including:

– VIP Impersonations

– HTML smuggling via links/attachments

– Malicious VBA macros

– OneNote / LNK file malware (attachments, and links to auto-downloads)

– PDF attachments with embedded links to malware (PDF -> URL -> ZIP -> WSF)

– Lookalike domains / homoglyph attacks

– Credential phishing

– Password protected archives

– Exploits (e.g. CVE-2023-23397, CVE-2021-40444)

– Fake invoices (Geek Squad)




Attendees will be guided through the rule creation process, utilizing free and open detection engines including Sublime and Yara, and will be introduced to the signals and email attributes that can be used to craft high-fidelity rules, including targeted user groups, sentiment analysis, sender domain age, and attachment analysis. Having completed the workshop, attendees will have a strong understanding of the tools and techniques at their disposal to defend their organizations from all manor of email threats.




Skill Level: Beginner

Prerequisites for students: N/A. The training will cater to security practitioners with any level of technical experience. While a general understanding of email threats will be advantageous, all offensive and defensive techniques and tools in the training will be introduced at a foundational level and built on throughout the day.




Materials or Equipment students will need to bring to participate: Attendees should bring their own laptops in order to be hands-on, preloaded with Docker. Instructions to run the Docker images from Github will be shared. All tools used in this lab are free and/or open-source.




Bio:

Josh has been doing offensive security-related things for the past 12 years. He’s spent most of his professional career breaking into networks via spear-phishing and other methods, and building software for both the public (Department of Defense) and private sectors. Josh is the Founder and CEO of Sublime Security, and in his private life enjoys weight lifting, Martial Arts, soccer, and spending time with his niece and nephew.




Alfie specializes in the delivery of attack detection and adversary emulation services, actively contributing education content, tooling and blogs to further the industry. He has previously worked with organisations across multiple industry verticals to uplift and validate their detective capability through red or purple team engagements, and now leads the global adversary emulation function at a FTSE 250 company. He has previously spoken at BlackHat USA, RSA and Blue Team Con 2022, among others, and is the co-founder of DelivrTo.
​ Starts August 12, 2023 09:00 Ends August 12, 2023 13:00 Location Las Vegas, NV, DEF CON 31


Sold Out – Kristy Westphal – Analysis 101 for Incident Responders

Workshop DC Forum Page


Title: Kristy Westphal – Analysis 101 for Incident Responders

Scheduled Date and Time (Pacific Standard): Thursday, August 10, 2023, at 1400-1800 PDT

EventBrite Link: https://www.eventbrite.com/e/kristy-…=oddtdtcreator

Max Class Size: 90




Abstract:

You have a theory about something you have found while roaming the network or conducting your own hackfest, but how do you go about proving it? This workshop will be a hands-on journey deep into the world of analysis. While analysis is a bit of an art form, there are methods that can be applied to make it less of a gut feeling and more of a scientific approach to support your hypothesis. From network forensics to log analysis to endpoint forensics and cloud log analysis, we will review numerous quick methods (including some analysis wizardry with R) to gain context over the data you have gathered and apply critical thinking in an attempt to find the answers. Sometimes, the answers weren’t meant to be found, but we’ll also discuss how to make the best of any conclusion that you reach.




Skill Level: Beginner to Intermediate

Prerequisites for students: A curiosity for security!




Materials or Equipment students will need to bring to participate: Will need a laptop with Wireshark and R installed.




Bio:

Kristy Westphal is a versatile information technology professional with specific experience in providing advisory and management services in the area of information security and risk is currently employed as the Vice President, Security Operations at a financial services company. Specializing in leadership and program development, specific expertise in security areas includes: process analysis, risk assessments, security awareness programs, operating system security, network security, incident handling, vulnerability analysis and policy development.
​ Starts August 10, 2023 14:00 Ends August 10, 2023 18:00 Location Las Vegas, NV, DEF CON 31


Sold Out – Maria Uretsky, Kavia Venkatesh, Sajjad "JJ" Arshad, Olivier Tuchon – Android App Hacking – Hack…

Workshop DC Forum Page


Title: Maria Uretsky, Kavia Venkatesh, Sajjad "JJ" Arshad, Olivier Tuchon – Android App Hacking – Hacking for Good!

Scheduled Date and Time (Pacific Standard): Friday, August 11, 2023, at 0900-1300 PDT

EventBrite Link: https://www.eventbrite.com/e/maria-u…=oddtdtcreator

Max Class Size: 50




Abstract:

Welcome to the world of Android Hacking! This is a hands-on workshop designed to introduce you to the knowledge, tools and techniques for analyzing and exploiting vulnerabilities in Android applications.

The workshop will start by presenting hacking for good, insights on the Android bug bounty, then it will cover the basic concepts of Android applications, walk you through industry standard tools and techniques and then let you experiment on your own with our Android reverse engineering CTF!




Come and hack with us!

The workshop requires no prior knowledge of Android or reverse engineering.




Skill Level: Beginner to Intermediate

Prerequisites for students: Before the workshop, students should follow the setup instructions to ensure they can start working on the CTFs in the workshop.
https://tinyurl.com/aah-setup

There is no pre-required knowledge.




Materials or Equipment students will need to bring to participate: Laptop with 20+ GB free hard disk space 4+ GB RAM

Mac. Windows 7/8 , Ubuntu 12.x + (64 bit Operating System),

ADB, apktool, Python & pip, JDK, jadx, Burp Suite, Wireshark, Frida, Ghidra

Administrative access on your laptop




Bio:

Maria Uretsky is leading the Android Vulnerability Rewards program at Google. Her passion is to break all the things before the bad actors do, to ensure they are kept out. During her 10+ years of software engineering and security work, she has been part of Google Cloud Security, Azure Sentinel, Windows Defender and AVG.




Kavia Venkatesh is a Technical Program Manager on the Android Security Team at Google where she leads the execution of the Android Security Release Program aka Android Security Bulletin. Over the last 7+ years has led numerous security initiatives. Now, she’s passionate about sharing her knowledge with the world.




JJ is a Senior Security SWE at Google’s Android Security & Privacy team where he is developing tools to fight abuse in Android with focus on JavaScript-based frameworks. He has also designed CTF challenges and helped organize GoogleCTF in the past few years. Before Google, he was a Cybersecurity researcher at iSecLab and earned his PhD in Cybersecurity from Northeastern University, Boston, MA. Some domains he is active in are large-scale web security & privacy measurement, program analysis, and Malware detection.




Olivier Tuchon is a Security Engineer on the Android Vulnerability Research team. Olivier has been working at Google for almost 5 years, he started by chasing malware/PHA in the Play Store and into the wild (OffMarket) with a speciality in Stalkerware. Now, Olivier looks for vulnerabilities in 3P Android applications. Before Google, Olivier had been a Security Engineer in the French Army for 12 years.
​ Starts August 11, 2023 09:00 Ends August 11, 2023 13:00 Location Las Vegas, NV, DEF CON 31


Sold Out – Matt Cheung – Introduction to Cryptographic Attacks

Workshop DC Forum Page


Title: Matt Cheung – Introduction to Cryptographic Attacks

Scheduled Date and Time (Pacific Standard): Thursday, August 10, 2023, at 0900 PDT

EventBrite Link: https://www.eventbrite.com/e/matt-ch…=oddtdtcreator

Max Class Size: 30




Abstract:

Using cryptography is often a subtle practice and mistakes can result in significant vulnerabilities. This workshop will cover many of these vulnerabilities which have shown up in the real world, including CVE-2020-0601. This will be a hands-on workshop where you will implement the attacks after each one is explained. I will provide a VM with Python dependencies and skeleton code included so you can focus on implementing the attack. A good way to determine if this workshop is for you is to look at the challenges at cryptopals.com and see if those look interesting, but you could use in person help understanding the attacks. While not a strict subset of those challenges, there is significant overlap. Participants should have VMWare, VirtualBox, or some other VM software installed.




Skill Level: Beginner to Intermediate

Prerequisites for students: Students should be comfortable with modular arithmetic and the properties of XOR. Experience in Python or other similar language will be a plus.




Materials or Equipment students will need to bring to participate: A laptop with VMWare or VirtualBox installed and capable of running a VM.




Bio:

Matt Cheung started developing his interest in cryptography during an internship in 2011. He worked on implementation of a secure multi-party protocol by adding elliptic curve support to an existing secure text pattern matching protocol. Implementation weaknesses were not a priority and this concerned Matt. This concern prompted him to learn about cryptographic attacks from Dan Boneh’s crypto 1 course offered on Coursera and the Matasano/cryptopals challenges. From this experience he has given workshops at the Boston Application Security Conference, BSidesLV, DEF CON, and the Crypto and Privacy Village.



​ Starts August 10, 2023 09:00 Ends August 10, 2023 13:00 Location Las Vegas, NV, DEF CON 31


Sold Out – Max Kersten – DotNet Malware Analysis Masterclass

Workshop DC Forum Page


Title: Max Kersten – DotNet Malware Analysis Masterclass

Scheduled Date and Time (Pacific Standard): Thursday, August 10, 2023, at 1400 PDT

EventBrite Link: https://www.eventbrite.com/e/max-ker…=oddtdtcreator

Max Class Size: 35




Abstract:

DotNet based malware originally started out as a novelty, but has shown it is here to stay. With DotNet malware being used by APT actors and script kiddies, and anything in-between, it is safe to say that one will encounter it sooner rather than later. This four-hour workshop primarily focuses on the analyst mindset and fundamental knowledge, including topics such as loaders, unpacking, obfuscation, DotNet internals, and (un)managed hooks. In short, one will learn how to analyse DotNet malware, and write automatic unpackers. As such, this class is perfect for aspiring and beginning analysts, while also providing background information and additional techniques for intermediate analysts.

The workshop’s materials will partially consist of actual malware samples, the precautions for which will be explained in-detail during the workshop, ensuring the safety and integrity of the systems of the attendees. A laptop with a preinstalled VM based Windows 10 trial, along with the community edition of Visual Studio (2019 or later) and the DotNet Framework runtime for version 3.5 and later. Other tools, such as dnSpyEx, de4dot, and DotDumper, can be downloaded during the workshop, as these are insignificant in size.

Knowing how to read VB.NET/C# is a prerequisite. Being able to write in C# is preferred, but the workshop can be followed without being able to, although a part of the exercises cannot be completed without it.

Questions about the workshop can be asked via my open Twitter DMs: @Libranalysis ( https://twitter.com/Libranalysis )




Skill Level: Beginner to Intermediate

Prerequisites for students:

– Have sufficient disk space and RAM to run one Windows 10 VM, along with a few gigabyte additional extra space

– Be able to understand VB.NET/C# and preferably (though not mandatory) be able to write in either of those languages

– Be able to run a Windows 10 VM

– Have a Windows 10 VM preinstalled in a virtual environment of choice (i.e., VirtualBox, VMWare)

– Have Visual Studio (2019 or later) installed, along with the DotNet Framework 3.5 and higher

– Analysis tools will be provided (i.e. open-source tools such as dnSpyEx) as their file size is minimal

– Malware samples and exercises will be provided on-location




Materials or Equipment students will need to bring to participate: A laptop capable of running one Windows 10 VM, with the above-mentioned programs installed, and sufficient free disk space




Bio:

Max Kersten is a malware analyst, blogger, and speaker who aims to make malware analysis more approachable for those who are starting. In 2019, Max graduated cum laude with a bachelor’s in IT & Cyber Security, during which Max also worked as an Android malware analyst. Currently, Max works as a malware analyst at Trellix, where he analyses APT malware and creates open-source tooling to aid such research. Over the past few years, Max spoke at international conferences, such as Black Hat Arsenal (USA, EU, MEA, Asia), Botconf, Confidence-Conference, HackYeahPL, and HackFestCA. Additionally, he gave guest lectures and workshops for several universities and private entities.



​ Starts August 10, 2023 14:00 Ends August 10, 2023 18:00 Location Las Vegas, NV, DEF CON 31


Sold Out – Maxine Filcher, Zach Reavis – BLE Security 201

Workshop DC Forum Page


Title: Maxine Filcher, Zach Reavis – BLE Security 201

Scheduled Date and Time (Pacific Standard): Saturday, August 12, 2023, at 0900 PDT

EventBrite Link: https://www.eventbrite.com/e/maxine-…=oddtdtcreator

Max Class Size: 80




Abstract:

There have been plenty of talks on intro BLE security topics, it’s time for us to put it to use. This workshop will serve as a refresher for the BLE skills gained in previous talks, while walking students to the next level through utilizing BLE as an initial ingress vector to compromise a simulated corporate network. Come join us while we demonstrate the importance of investigating all wireless protocols in your corporate environment.




Skill Level: Intermediate

Prerequisites for students: None




Materials or Equipment students will need to bring to participate:

Laptop

Android Phone




Bio:

Maxine, or Freqy, is a US Army Veteran, possessing a master’s degree in Cybersecurity and is widely recognized for her expertise in wireless security. In sharing her knowledge, she has delivered many presentations over the last five years, exploring various facets of wireless security. Maxine’s grasp of BLE security has helped her play pivotal roles in assisting numerous large-scale corporations in fortifying the security of consumer devices that are ubiquitous to millions of households worldwide




Zach, also known as justadequate, is an OSCP-certified wireless security expert specializing in waveform reverse engineering, exploit development, and embedded systems penetration testing. Demonstrating in-depth knowledge and experience in these areas, he has worked in both consulting and formal security test and engineering roles to develop, assess, and secure systems ranging from aircraft to SCADA/ICS to IoT/home-use devices deployed around the world.
​ Starts August 12, 2023 09:00 Ends August 12, 2023 13:00 Location Las Vegas, NV, DEF CON 31


Sold Out – Maxwell Dulin, Nathan Kirkland, Zachary Minneker, Kenzie Dolan, Elizabeth St. Germain – House…

Workshop DC Forum Page


Title: Maxwell Dulin, Nathan Kirkland, Zachary Minneker, Kenzie Dolan, Elizabeth St. Germain – House of Heap Exploitation

Scheduled Date and Time (Pacific Standard): Friday, August 11, 2023, at 0900 PDT

EventBrite Link: https://www.eventbrite.com/e/maxwell…=oddtdtcreator

Max Class Size: 90




Abstract:

Heap exploitation is an incredibly powerful tool for a hacker. As exploit mitigations have made exploitation more difficult, modern exploit development has moved to the heap. However, heap exploitation is a major wall in the binary exploitation journey because of its complexity. To conquer this difficultly, the workshop tackles the complexity head on by diving into the weeds of the allocator directly, taking on many hands-on exercises/challenges and creating easy to grasp diagrams to understand all of the concepts.




This workshop is for learning heap exploit development in glibc Malloc, which is the default allocator on most Linux distributions. With this hands-on introduction into glibc Malloc heap exploitation you will learn how the allocator functions, heap specific vulnerability classes and to pwn with a variety of techniques. To make the material easy to consumable, there are many hands-on exercises, a pre-built virtual machine with everything necessary for binary exploitation and an immense amount of visuals for explaining the material. After taking this course you will understand the internals of the glibc Malloc allocator, be able to uncover heap memory vulnerabilities and pwn the heap with a variety of techniques, with the capability to go further into the art afterwards.




Skill Level: Intermediate

Prerequisites for students:

– Basic computer science background (x86_64 assembly, stack, programming skills in C & Python)

– Basic binary exploitation skills (buffer overflow exploitation, ROP, ASLR, etc.)

– Familiar with Linux developer tools such as the command line, Python scripting and GDB.




Materials or Equipment students will need to bring to participate:

– Laptop with enough power for a moderately sized Linux VM:

– ARM based MacOS has support through either QEMU or servers that people can use.

– Administrative access to the laptop

– 8GB RAM minimum

– 30GB harddrive space

– Virtualbox or another virtualization platform installed




Bio:

Maxwell Dulin (also known as Strikeout) loves hacking all things under the sun. In his day job, he works as a security engineer primarily focused on web applications. But at night, he leaves the tangled web into the open space of radio signals, garage doors, scoreboards, RC cars, and pwn challenges. From the latter, he gained enough expertise to create a heap exploitation course that has been delivered at a number of security conferences, including DEFCON. In his spare time, he has found Linux kernel 0-days, and reverse engineered numerous wireless devices. To summarize, if you put something in front of him, he’ll find a way to break it and make it do what he wants.




Raised on a steady diet of video game modding, when Nathan found programming as a teenager, he fit right into it. Legend says he still keeps his coffee (and tear) stained 1980s edition of The C Programming Language by K&R stored in a box somewhere. A few borrowed Kevin Mitnick books later, he had a new interest, and began spending more and more time searching for buffer overflows and SQL injections. Many coffee fueled sleepless nights later, he had earned OSCP, and graduated highschool a few months later. After a few more years of working towards a math degree and trying fervently to teach himself cryptanalysis, he decided to head back to the types of fun hacking problems that were his real first love, and has worked at Security Innovation ever since.




Zachary Minneker is a security researcher and security engineer at Security Innovation. His first computer was a PowerPC Macintosh, an ISA which he continues to defend to this day. At Security Innovation, he has performed security assessments on a variety of systems, including robots for kids, audio transcription codecs, and electronic medical systems. He has previous experience administrating electronic medical systems, and deep experience in fuzzing, reverse engineering, and protocol analysis. His research has focused on techniques for in-memory fuzzing, macOS sandbox security, and IPC methods.




Kenzie Dolan works for Security Innovation as a Security Engineer focusing on engagements ranging from IoT hacking to kiosk exploitation. Her current research interests include emerging threats against Mobile and IoT devices. She has a degree in Computer and Information Science from University of Oregon. In her free time, Kenzie enjoys composing music, playing video games or hiking in the greater Seattle area.




Elizabeth St. Germain started hacking from a young age when very few inputs were sanitized. She worked in systems administration and video game development before settling into hacking as a career. She now focuses her time on web and hardware hacking, with a desire to explore the security impacts that video games can have on consumers. Most of her free time is split between either min/maxing games, competing in CTFs, exploring urban areas and nature, or making music.



​ Starts August 11, 2023 09:00 Ends August 11, 2023 13:00 Location Las Vegas, NV, DEF CON 31


Sold Out – Michael Solomon, Michael Register – Digital Forensics and Incident Response Against the Digital…

Workshop DC Forum Page

Michael Solomon, Michael Register – Digital Forensics and Incident Response Against the Digital Darkness: An Intro to Forensicating Evil


Title: Michael Solomon, Michael Register – Digital Forensics and Incident Response Against the Digital Darkness: An Intro to Forensicating Evil

Scheduled Date and Time (Pacific Standard): Saturday, August 12, 2023, at 1400 PDT

EventBrite Link: https://www.eventbrite.com/e/michael…=oddtdtcreator

Max Class Size: 80




Abstract:

Are you ready to step into the shoes of a cybersecurity or incident response analyst? Whether you’re new to investigation or looking to take your analysis skills to the next level, we’ve got an exciting opportunity for you! Join mR_F0r3n51c5 and S3curityNerd for a four-hour class that will take you on a journey through the world of malware analysis and investigation.

In today’s ever-evolving threat landscape, malware continues to be a weapon of choice for various types of threat actors. Our class leverages forensic and malware analysis fundamentals to teach students how to investigate a compromised Windows system. To ensure the most up-to-date learning experience, the class authors have carefully selected fresh malware samples trending in 2023.

By the end of this class, you’ll have the skills to:

· Build analysis skills that leverage complex scenarios and improve comprehension

· Practically acquire data in a forensically sound manner

· Identify common areas of malware persistence

· Gather evidence and create a timeline to characterize how the system was compromised

· Participate in a hand-to-keyboard combat capstone where you’ll be given an image of a compromised Windows system and demonstrate your newly acquired analysis skills.

Don’t miss this opportunity to gain hands-on experience and take your analysis skills to the next level. Join us and discover the exciting world of forensic analysis and investigation!




Skill Level: Intermediate

Prerequisites for students:




Materials or Equipment students will need to bring to participate:

– Students will be required to download material (e.g., Virtual Machine). Students will be given a URL for download access.

– Regarding the downloaded virtual machines, these should be imported into your virtual machine software and ready before the start of class. If any additional technical support is needed, the instructors will make themselves available online.

– Students must have a laptop that meets the following requirements:

– A 64-bit CPU running at 2GHz or more. The students will be running one virtual machine on their host laptop.

– Have the ability to update BIOS settings. Specifically, enable virtualization technology such as "Intel-VT."

– The student must be able to access their system’s BIOS if it is password protected. This is in case of changes being necessary.

– 8 GB (Gigabytes) of RAM or higher

– At least one open and working USB Type-A port

– 50 Gigabytes of free hard drive space, allowing you the ability to host the VMs we distribute

– Students must have Local Administrator Access on their system.

– Wireless 802.11 Capability

– A host operating system that is running Windows 10+, Linux, or macOS 10.4 or later.

– Virtualization software is required. The supplied VMs have been built for out-of-the-box comparability with VMWare Workstation or Player. Students may use other software if they choose, but they may have to troubleshoot unpredictable issues. Instructors cannot guarantee compatibility with all virtualization software suites.

At a minimum, the following VM features will be needed:

– NATted networking from VM to Internet

– Copy and Paste of text and files between the Host machine and VM





Bios:

Michael Solomon, also known as mR_F0r3n51c5, is a Threat Hunter with over 12 years of experience in Cyber Operations, Digital Forensics & Incident Response (DFIR), and Threat Hunting. His passion lies in helping to shape the next generation of cybersecurity analysts for a safer tomorrow.




Michael Register, known as S3curityNerd, with 7 years of combined experience in IT, Networking, and Cybersecurity. He holds multiple certifications and actively conducts post-exploitation research to enhance threat hunting operations.



​​ Starts August 12, 2023 14:00 Ends August 12, 2023 18:00 Location Las Vegas, NV, DEF CON 31


Sold Out – Phil Young – These Port Scans are Trash: Improving Nmap by Writing New Scripts and Libraries

Workshop DC Forum Page


Title: Phil Young – These Port Scans are Trash: Improving Nmap by Writing New Scripts and Libraries

Scheduled Date and Time (Pacific Standard): Thursday, August 10, 2023, at 1400 PDT

EventBrite Link: https://www.eventbrite.com/e/phil-yo…=oddtdtcreator

Max Class Size: 30




Abstract:

Does anyone know how old Nmap is? If you guessed 20 years old, you’d be wrong! It’s been around since 1997 when it was first released in Phrack magazine. Since the beginning, it’s been through multiple iterations and an entire community has developed around it. One of the most important additions to Nmap was the ability to add custom scripts. Changing Nmap from a simple port scanner to the swiss army knife of network scanners. Oftentimes, when zero days pop up, someone will write an nmap script to identify vulnerable servers within minutes. If you’ve ever wondered how people write Nmap scripts, what it would take to write your own and how you can use them, this workshop is for you.

Attendees in this workshop will learn how to understand and update the Nmap probe file, how to write Lua scripts (which Nmap scripting uses), how to write Nmap scripts to supplement the probe file, interact with custom services and ultimately write multiple Nmap scripts to do fun stuff with ports. Once attendees have a firm grasp of the Nmap scripting engine they will be introduced to writing Nmap libraries for use by their various scripts. This workshop contains many instructor lead labs so that attendees can see their code in action. To make this workshop worthwhile, a custom service running on a port has been created which the labs will allow you to probe and identify as the course goes on.

Nmap is the workhorse behind the scenes for so many pentesters, but the resources for writing scripts are limited. The hope is that by offering this workshop, more people will be able to write Nmap scripts for the betterment of all hackingkind.




Skill Level: Beginner

Prerequisites for students: Some basic understanding of how to write code (python, C, Lua, etc), how to use the Linux command line.




Materials or Equipment students will need to bring to participate: A laptop capable of running a linux VM




Bio:

Philip Young, aka Soldier of FORTRAN, is a leading expert in all things mainframe hacking. Having spoken and taught at conferences around the world, including DEFCON, RSA, BlackHat and keynoting at both SHARE and GSE Europe, he has established himself as the thought leader in mainframe penetration testing. Since 2013 Philip has released tools to aid in the testing of mainframe security and contributed to multiple opensource projects including Nmap, allowing those with little mainframe capabilities the chance to test their mainframes. He created the Nmap TN3270 library which enabled Nmap to scan and fingerprint z/OS mainframes and SNA networks. His hope is that through education others will create new libraries and scripts to force corporations to fix their shit.
​ Starts August 10, 2023 14:00 Ends August 10, 2023 18:00 Location Las Vegas, NV, DEF CON 31


Sold Out – Raúl Calvo Laorden – Advanced WiFi Attacks for Red Team Professionals

Workshop DC Forum Page


Title: Raúl Calvo Laorden – Advanced WiFi Attacks for Red Team Professionals

Scheduled Date and Time (Pacific Standard): Friday, August 11, 2023, at 1400 PDT

EventBrite Link: https://www.eventbrite.com/e/raul-ca…=oddtdtcreator

Max Class Size: 70




Abstract:

Wireless networks have become ubiquitous in today’s world, and Red Teams are increasingly using advanced WiFi attacks to gain unauthorized access to these networks. This workshop will focus on advanced WiFi attacks utilized by Red Teams to gain access to wireless networks. Participants will learn how to conduct WiFi reconnaissance, identify misconfigurations in wireless networks, create Rogue APs for launching phishing attacks, bypass WIDS, and more. The workshop is entirely virtual, and participants will have access to a lab environment where they can experiment safely. Participants must have prior knowledge of WiFi attacks on Open, WEP, and WPA2-PSK networks. The workshop covers advanced techniques for WiFi reconnaissance, creating custom TLS certificates, Rogue AP attacks, MSCHAPv2 Relay attacks, password spraying, ESSID stripping, and more. The workshop also covers the importance of Wireless Intrusion Detection Systems for Blue Teams and an example using Nzyme. Overall, this workshop is ideal for Red Team professionals looking to enhance their WiFi attack skills and stay ahead of the game.




Skill Level: Intermediate

Prerequisites for students: All participants in participating in this workshop must have a basic understanding of Linux, 802.11 protocol and Wireshark. Additionally, they must have prior knowledge of WiFi attacks on Open, WEP, and WPA2-PSK networks.




Materials or Equipment students will need to bring to participate: Participants must have access to a computer with a reliable internet connection and a virtualization software such as VirtualBox or VMware.




Bio:

Raúl Calvo Laorden is a Spanish Senior Cybersecurity Analyst (Pentester) who is known in the online community as r4ulcl. He has a keen interest in hacking, particularly in Active Directory (AD), WiFi, and Radio Frequency (RF). Raúl enjoys working with Docker and git. He also has a passion for music, video games, and tinkering with electronic devices.

Raúl is the author of WiFiChallenge Lab, a 100% virtualized realistic lab designed for learning and practicing wifi hacking (presented in RootedCON 2022). He is also the creator of wifi_db, a script that parses Aircrack-ng captures into a SQLite database, extracting valuable information such as handshakes, MGT identities, interesting relations between APs, clients and their probes, WPS information, and a global view of all the APs seen. Additionally, he holds the OSCP and CRTP certifications.

In his free time, Raúl dedicates himself to programming hacking and cybersecurity tools. He also maintains his own micro-datacenter consisting of multiple servers and services where he continually learns and practices new technologies.
​ Starts August 11, 2023 14:00 Ends August 11, 2023 18:00 Location Las Vegas, NV, DEF CON 31


Sold Out – Robert Koehlmoos – Getting into Trouble with Machine Learning Models

Workshop DC Forum Page


Title: Robert Koehlmoos – Getting into Trouble with Machine Learning Models

Scheduled Date and Time (Pacific Standard): Friday, August 11, 2023, at 0900 PDT

EventBrite Link: https://www.eventbrite.com/e/robert-…=oddtdtcreator

Max Class Size: 20




Abstract:

This workshop is a beginner’s introduction to deep learning with neural networks, going from fundamentals to the latest in models for image editing, object recognition, and automated pen testing using large language models. It starts with an introduction to the theory behind deep learning, with a few toy examples to give students a feel for how these systems are built. From there we shift focus to a tour of state of the art models with a focus on running open source models locally independent of proprietary corporate systems. These systems include captcha defeat, video search and tracking, and image editing, among others. Finally, students perform a pen testing capstone using AutoGPT and HuggingGPT to understand the latest in emergent large language model reasoning capabilities. Students should have a basic understanding of how to write Python code, the class will build from there. A laptop with 8Gb of RAM and 100GB of free space will be sufficient. Students may bring laptops with more powerful GPUs, but online resources will be available for more GPU intensive models.




Skill Level: Beginner

Prerequisites for students: None, this workshop will walk through all steps required to use and apply the models.




Materials or Equipment students will need to bring to participate: A laptop with at least 8Gb of RAM and 100GB available hard drive space. Must also be able to run a Linux based VM. This isn’t meant to be a high bar, free online resources will be used to supplement their laptop for larger models.




Students will need an OpenAI API token, which will require setting up a paid account with OpenAI. The final cost for API using in this class should be no more than $5. I wish there was not a requirement for this, but unfortunately some of the cutting edge application I want students to experiment with are only available in high enough quality using OpenAI’s products. This may change between this submission and the start date of the class at the rate of current AI advancement.




Bio:

Rob works as a lead machine learning engineer focusing on deep learning applications, primarily with language translation. His team works with the full pipeline of training, productionizing, and deploying machine learning applications. He is happy not only talking about theory and research but also the practicalities of model selection and designing products to meet user needs. He previously worked as a data scientist and has strong opinions about effective uses of data visualization and good UI design. He is only a little afraid of AI taking over everything.
​ Starts August 11, 2023 09:00 Ends August 11, 2023 13:00 Location Las Vegas, NV, DEF CON 31


Sold Out – Rodrigo Montoro – Protecting the AWS ecosystem – Misconfigurations, IAM, and Monitoring

Workshop DC Forum Page


Title: Rodrigo Montoro – Protecting the AWS ecosystem – Misconfigurations, IAM, and Monitoring

Scheduled Date and Time (Pacific Standard): Thursday, August 10, 2023, at 0900 PDT

EventBrite Link: https://www.eventbrite.com/e/rodrigo…s-668351787187

Max Class Size: 60




Abstract:

Cloud providers’ ecosystems have brought a lot of new challenges to companies and Security teams. Many new attack vectors create known and unknown attack vectors, generating a considerable need for further research and detection in this field.

In the current cloud security world, access keys are the new perimeter, and permissions associated with those keys are the limits. In many real-world scenarios, leaked access keys are the initial vectors to get into an organization’s cloud environments. Therefore, the least privilege and detection in real-time becomes critical.

Specifically, in AWS, we are talking about more than three hundred (300+) services that an attacker could create their specific attack path to achieve their goal. Considering this chaotic scenario, we developed this workshop to teach how to mitigate those new vectors and improve the company’s overall cloud security posture. The workshop will cover misconfigurations, AWS IAM (Identity and Access Management) least privilege, and control plane (Cloudtrail) monitoring.

This workshop will help organizations improve their cloud security posture in these three fields – misconfigurations, IAM permissions management, and control plane monitoring. There will be practical demonstrations, hands-on labs, and some Capture The Flag (CTF) to practice incident response.




Skill Level: Intermediate

Prerequisites for students: AWS basic to intermediate knowledge




Materials or Equipment students will need to bring to participate: Just bring a laptop. Demonstrations and Capture The Flag (CTF) exercises will be executed in my AWS account and using CTFd.




Bio:

Rodrigo Montoro has over 23 years of experience in Information Technology and Computer Security. For most of his career, he has worked with open-source security software (firewalls, IDS, IPS, HIDS, log management, endpoint monitoring), incident detection & response, and Cloud Security. Currently is Head of Threat & Detection Research at Clavis Security. Before that, he worked as Cloud Researcher at Tenchi Security, Head of Research and Development at Apura Cyber Intelligence, SOC/Researcher at Tempest Security, Senior Security Administrator at Sucuri, and Researcher at Spiderlabs. Author of 2 patented technologies involving innovation in the detection field. One is related to discovering malicious digital documents. The second one is in how to analyze malicious HTTP traffic. Rodrigo has spoken at several open source and security conferences (Defcon Cloud Village, OWASP AppSec, SANS (DFIR, SIEM Summit & CloudSecNext), Toorcon (USA), H2HC (São Paulo and Mexico), SecTor (Canada), CNASI, SOURCE, ZonCon (Amazon Internal Conference), Blackhat Brazil, BSides (Las Vegas e SP)).



​ Starts August 10, 2023 09:00 Ends August 10, 2023 13:00 Location Las Vegas, NV, DEF CON 31


Sold Out – Ryan Chapman, Aaron Rosenmund, Brandon DeVault – Active Directory Attacks: The Good, The Bad, and…

Workshop DC Forum Page


Title: Ryan Chapman, Aaron Rosenmund, Brandon DeVault – Active Directory Attacks: The Good, The Bad, and The LOLwut

Scheduled Date and Time (Pacific Standard): Saturday, August 12, 2023, at 0900 PDT

EventBrite Link: https://www.eventbrite.com/e/ryan-ch…=oddtdtcreator

Max Class Size: 80




Abstract:

Threat actors such as ransomware affiliates around the world are carrying out attacks on Active Directory (AD) at scale. When doing so, such actors often stick to the mainstream in terms of attack methodologies and tooling. But… that’s lame! Why borrow tactics, techniques, and procedures (TTPs) that are so well known and thus readily detectable?! Come hang out with us as we provide an overview of AD, show the most common attack scenarios, then show you how to detect and prevent those very attacks. Stick around as we then transition to covering what you could, and should, be doing instead.

We will be providing a remote network range to which you will connect. Once in the range, you will be acting as the ransomware threat actor, “pentester” as they like to call themselves. You will carry out attacks such as enumeration via Bloodhound, credential discovery and compromise, pass the hash attacks, and kerberoasting via common tools such as Mimikatz & Rubeus. After carrying out the attacks yourself, you’ll then learn how to prevent and detect those very attacks. We’ll then show you custom-developed methods to carry out the same attacks without the reliance on well-known TTPs/tools. And even better, we’ll show you how you could, at least where it’s even possible, detect the more custom/advanced methodologies.

Join us if you are a blue teamer, red teamer, purple teamer, cyber defender, DFIR analyst… basically anyone who wants (or needs!) to learn to defend and/or attack Active Directory. Come for the tech, stay for the humor. See ya there!




Skill Level: Intermediate to Advanced

Prerequisites for students: The primary requirement for this course is a desire to learn and the determination to tackle challenging problems. In addition, having some familiarization with the following topics will help students maximize their time in this course:

– A general background in Digital Forensics & Incident Response (DFIR)

– Familiarity with blue team-oriented tools

– An understanding of general networking concepts

– Familiarity with Active Directory – though we’ll cover everything students need to know




Materials or Equipment students will need to bring to participate:

– A laptop with Linux/Windows/Mac desktop environment

– Networking capability: Students will be connecting to a remote network range – They will need a wireless NIC (assuming the workshop area provides Wi-Fi, not not we’ll need to know) that can be enabled along with administrator privileges on their system

– IMPORTANT: This workshop relies on network connectivity. Any student not able to connect to our range will be unable to follow along with the hands-on portion of the workshop.




Bios:

Ryan Chapman is the author of SANS’ “FOR528: Ransomware for Incident Responders” course, teaches SANS’ “FOR610: Reverse Engineering Malware” course, works as a principal incident response consultant for $dayJob, and helps run the CactusCon conference in Phoenix, Arizona, USA. Ryan has a passion for life-long learning, loves to teach people about ransomware-related attacks, and enjoys pulling apart malware. He has presented workshops at DefCon and other conferences in the past and knows how to create a step-by-step instruction set to maximize hands-on learning.




Aaron Rosenmund is the Director of Security Research and Content for Pluralsight, where he has also authored over 115 courses and technical labs across offensive and defensive security operations topics. Part time work includes service as an Cyber Warfare Operations office in the Delaware Air National guard, where he has also lead a 100+ member red team for the largest cyber exercise in the Nation, Cybershield. 4 years of highly rated talks and workshops have earned him the Distinguished speaker title from RSAC, and he looks forward to returning for the 3rd year to Defcon Workshops to bring practical emulation and testing capabilities to the people who need it most.




Brandon DeVault is a security researcher, blue teamer, and educator. Currently works as an author for Pluralsight and member of the FL Air National Guard. Prior experience includes work at Elastic and multiple deployments with Special Operations Command.
​ Starts August 12, 2023 09:00 Ends August 12, 2023 13:00 Location Las Vegas, NV, DEF CON 31


Sold Out – Ryan Holeman – Learning to Hack Bluetooth Low Energy with BLE CTF

Workshop DC Forum Page


Title: Ryan Holeman – Learning to Hack Bluetooth Low Energy with BLE CTF

Scheduled Date and Time (Pacific Standard): Friday, August 11, 2023, at 1400 PDT

EventBrite Link: https://www.eventbrite.com/e/ryan-ho…=oddtdtcreator

Max Class Size: 90




Abstract:

BLE CTF is a series of Bluetooth Low Energy challenges in a capture-the-flag format. It was created to teach the fundamentals of interacting with and hacking Bluetooth Low Energy services. Each exercise, or flag, aims to interactively introduce a new concept to the user.

Over the past few years, BLE CTF has expanded to support multiple platforms and skill levels. Various books, workshops, training, and conferences have utilized it as an educational platform and CTF. As an open source, low-cost of entry, and expandable education solution, BLE CTF has helped progress Bluetooth security research.

This workshop will teach the fundamentals of interacting with and hacking Bluetooth Low Energy services. Each exercise, or flag, aims to interactively introduce a new concept to the user. For this workshop, we will undergo a series of exercises to teach beginner students new concepts and allow more seasoned users to try new tools and techniques. After completing this workshop, you should have a good solid understanding of how to interact with and hack on BLE devices in the wild.

If you have done BLE CTF in the past, this class is still valuable. For advanced users, we offer BLE CTF Infinity, a sequel to BLE CTF. The workshop will also showcase new hardware platforms and client tools for interacting with and completing the exercises.

To prepare for the workshop, please follow the setup documentation located at https://github.com/hackgnar/ble_ctf/…kshop_setup.md




Skill Level: Beginner to Intermediate

Prerequisites for students: To prepare for the workshop, please follow the setup documentation located at https://github.com/hackgnar/ble_ctf/…kshop_setup.md




Materials or Equipment students will need to bring to participate:Preferably a Linux box with a Bluetooth controller or a Bluetooth USB dongle. An OSX or Windows machine with a Linux VM and USB passthough works as well but should be setup and tested before the workshop.




Bio:

Ryan Holeman resides in Austin, Texas, where he works as the CISO for the peer-to-peer payment platform Strike. He is currently pursuing a Ph.D. in cyber defense from Dakota State University. He has spoken at respected venues such as Black Hat, DEF CON, Lockdown, BSides, Ruxcon, Notacon, and Shmoocon. You can keep up with his current activity, open source contributions, and general news on his blog. His spare time is mostly spent digging into various network protocols, random hacking, creating art, and shredding local skateparks.
​ Starts August 11, 2023 14:00 Ends August 11, 2023 18:00 Location Las Vegas, NV, DEF CON 31


Sold Out – Sam Bowne, Elizabeth Biddlecome, Kaitlyn Handelman, Irvin Lemus – Machine Learning for N00bs

Workshop DC Forum Page


Title: Sam Bowne, Elizabeth Biddlecome, Kaitlyn Handelman, Irvin Lemus – Machine Learning for N00bs

Scheduled Date and Time (Pacific Standard): Friday, August 11, 2023, at 1400 PDT

EventBrite Link: https://www.eventbrite.com/e/sam-bow…=oddtdtcreator

Max Class Size: 80




Abstract:

Every technical product is now incorporating machine learning at an explosive rate. But most people, even those with strong technical skills, don’t understand how it works, what its capabilities are, and what security risks come with it. In this workshop, we’ll make machine learning models using simple Python scripts, train them, and evaluate their value. Projects include computer vision, breaking a CAPTCHA, deblurring images, regression, and classification tasks. We

will perform poisoning and evasion attacks on machine learning systems, and implement deep neural rejection to block such attacks.




No experience with programming or machine learning is required, and the only software required is a Web browser. We will use TensorFlow on free Google Colab cloud systems.

All materials and challenges are freely available at samsclass.info, and will remain available after the workshop ends.




Skill Level: Beginner

Prerequisites for students: None




Materials or Equipment students will need to bring to participate: A computer with a Web browser




Bios:

Sam Bowne has been teaching computer networking and security classes at City College San Francisco since 2000, and is the founder of Infosec Decoded, Inc. He has given talks and hands-on trainings at Black Hat USA, RSA, DEF CON, DEF CON China, HOPE, and many other conferences.

Credentials: PhD, CISSP, DEF CON Black Badge Co-Winner




Elizabeth Biddlecome is a consultant and instructor, delivering technical training and mentorship to students and professionals. She leverages her enthusiasm for architecture, security, and code to design and implement comprehensive information security solutions for business needs. Elizabeth enjoys wielding everything from soldering irons to scripting languages in cybersecurity competitions, hackathons, and CTFs.




Kaitlyn Handelman is an offensive security engineer at Amazon. Her focus is cybersecurity in space. In addition to traditional penetration testing, Kaitlyn works on physical devices and RF signals. In her free time, she enjoys ham radio, astronomy, and her cat, Astrocat.




Irvin Lemus, CISSP is a Cyber Range Engineer at By Light IT Professional Services, training military personnel through international cyber security exercises. Irvin has been in the field

since 2006, involved with cybersecurity competitions since 2015 as a trainer, coach, and mentor. He also has taught IT and Cybersecurity courses at Coastline and Cabrillo

Colleges. He is the BACCC Cyber Competitions Regional Coordinator, Board member at Pacific Hackers and is a speaker at DEFCON. He describes himself as, "A professional troublemaker who loves hacking all the things."



​ Starts August 11, 2023 14:00 Ends August 11, 2023 18:00 Location Las Vegas, NV, DEF CON 31


Sold Out – Sam Bowne, Elizabeth Biddlecome,Kaitlyn Handelman, Irvin Lemus – Introduction to Exploit Development

Workshop DC Forum Page


Title: Sam Bowne, Elizabeth Biddlecome, Kaitlyn Handelman, Irvin Lemus – Introduction to Exploit Development

Scheduled Date and Time (Pacific Standard): Saturday, August 12, 2023, at 1400 PDT

EventBrite Link: https://www.eventbrite.com/e/sam-bow…=oddtdtcreator

Max Class Size: 90




Abstract:

Learn how to take control of Windows and Linux servers running vulnerable software, in a hands-on CTF-style workshop. We begin with easy command injections and SQL injections, and proceed through binary exploits including buffer overflows on the stack and the heap, format string vulnerabilities, and race conditions.

We will exploit 32-bit and 64-bit Intel and ARM systems, and software in PHP, Python, C++, and DOT NET. We will examine modern Windows defenses in detail, including ASLR, DEP, stack cookies, and SEHOP. We will also write Rust programs and see how they prevent memory corruption vulnerabilities.

Previous experience with C and assembly language is helpful but not required. Participants will need a laptop that can run VMware or VirtualBox virtual machines.

All materials and challenges are freely available at samsclass.info, and will remain available after the workshop ends.




Skill Level: Intermediate

Prerequisites for students: Familiarity with C programming and assembly language is helpful, but not essential.




Materials or Equipment students will need to bring to participate: A laptop capable of running a virtual machine in VMware or VirtualBox.




Bios:

Sam Bowne has been teaching computer networking and security classes at City College San Francisco since 2000, and is the founder of Infosec Decoded, Inc. He has given talks and hands-on trainings at Black Hat USA, RSA, DEF CON, DEF CON China, HOPE, and many other conferences.

Credentials: PhD, CISSP, DEF CON Black Badge Co-Winner




Elizabeth Biddlecome is a consultant and instructor, delivering technical training and mentorship to students and professionals. She leverages her enthusiasm for architecture, security, and code to design and implement comprehensive information security solutions for business needs. Elizabeth enjoys wielding everything from soldering irons to scripting languages in cybersecurity competitions, hackathons, and CTFs.




Kaitlyn Handelman is an offensive security engineer at Amazon. Her focus is cybersecurity in space. In addition to traditional penetration testing, Kaitlyn works on physical devices and RF signals. In her free time, she enjoys ham radio, astronomy, and her cat, Astrocat.




Irvin Lemus, CISSP is a Cyber Range Engineer at By Light IT Professional Services, training military personnel through international cyber security exercises. Irvin has been in the field

since 2006, involved with cybersecurity competitions since 2015 as a trainer, coach, and mentor. He also has taught IT and Cybersecurity courses at Coastline and Cabrillo

Colleges. He is the BACCC Cyber Competitions Regional Coordinator, Board member at Pacific Hackers and is a speaker at DEFCON. He describes himself as, "A professional troublemaker who loves hacking all the things."



​ Starts August 12, 2023 14:00 Ends August 12, 2023 18:00 Location Las Vegas, NV, DEF CON 31


Sold Out – Sergei Frankoff, Sean Wilson – Applied Emulation – A Practical Approach to Emulating Malware

Workshop DC Forum Page


Title: Sergei Frankoff, Sean Wilson – Applied Emulation – A Practical Approach to Emulating Malware

Scheduled Date and Time (Pacific Standard): Thursday, August 10, 2023, at 0900 PDT

EventBrite Link: https://www.eventbrite.com/e/sergei-…=oddtdtcreator

Max Class Size: 50




Abstract:

Binary emulation is now a must-have tool for malware analysts. With a few lines of Python you can unpack binaries, skip analysis of complex algorithms, and automatically extract the configuration data from malware! It’s not too good to be true, but there is a little preparation work involved…

In this workshop you will set up your own emulation environment (using Python) and work through a series of common malware analysis tasks such as unpacking, and malware configuration extraction. The workshop starts simple using Unicorn to emulate x86 shellcode, and builds to a final project where syscall hooking is used with Dumpulator to automatically extract C2s from malware.

This workshop is aimed at malware analysts and reverse engineers who are interested in learning more about emulation and how it can be used to automate some reverse engineering workflows. Students must be able to write basic Python scripts, and have a working knowledge of the Windows OS. Familiarity with Windows malware, assembly, and debugging are strongly recommended. If you have opened malware in a debugger before you will feel right at home here.

You will be provided with detailed virtual machine setup instructions prior to the workshop. Please make sure to bring a laptop that meets the following requirements.

– Your laptop must have VirtualBox or VMWare installed and working prior to the start of the course.

– Your laptop must have at least 60GB of disk space free.

– Your laptop must also be able to mount USB storage devices. (Make sure you have the appropriate dongle if you need one.)




Skill Level: Intermediate

Prerequisites for students: Students must be able to write basic Python scripts and have a basic understanding of the Windows operating system. Familiarity with a Windows malware, debugging, and assembly would also be a significant benefit.




Materials or Equipment students will need to bring to participate: Students must bring a laptop capable of running a Windows virtual machine with the following configuration. Time will be given to troubleshoot lab setup issues but it is strongly recommended that students have the following setup prior to the workshop.




[Host Setup]

– The laptop must have VirtualBox or VMWare installed and working prior to class.

– The laptop must have at least 60GB of disk space free.

– The laptop must be able to mount USB storage devices (ensure you have the appropriate dongle if you need one).




[ VM Install ]

– Download a free Windows 11 VM from Microsoft ( https://developer.microsoft.com/en-u…tual-machines/ )

– You can also use a Windows VM of your choice (Windows 10 is also ok)




[ VM Install for Mac – Apple Silicon Only (M1, M2)]

– If you have a new Apple Silicon MacBook you will are limited to running an ARM Windows VM

– ARM Windows VMs are suitable for the workshop and you can follow our installation guide on YouTube ( https://youtu.be/0eR8yrDLV5M )




[VM Setup]

– Install x64dbg in your VM ( https://x64dbg.com/ )

– Install a free version of IDA in your VM ( https://hex-rays.com/ida-free/ )

– Install a version of Python > 3.8.x in your VM ( https://www.python.org/ )




Bios:

Sergei is a co-founder of OpenAnalysis Inc. When he is not reverse engineering malware Sergei is focused on building automation tools for malware analysis, and producing tutorials for the OALABS YouTube channel. With over a decade in the security industry Sergei has extensive experience working at the intersection of incident response and threat intelligence.




Sean, a co-founder of OpenAnalysis Inc., splits his time between reverse engineering, tracking malware and building automated malware analysis systems. Sean brings over a decade of experience working in a number of incident response, malware analysis and reverse engineering roles.
​ Starts August 10, 2023 09:00 Ends August 10, 2023 13:00 Location Las Vegas, NV, DEF CON 31


Sold Out – Wes McGrew – The Joy of Reverse Engineering: Learning With Ghidra and WinDbg

Workshop DC Forum Page


Title: Wes McGrew – The Joy of Reverse Engineering: Learning With Ghidra and WinDbg

Scheduled Date and Time (Pacific Standard): Saturday, August 12, 2023, at 1400 PDT

EventBrite Link: https://www.eventbrite.com/e/wes-mcg…s-668400352447

Max Class Size: 80




Abstract:

While it can be intimidating to "get into" software reverse engineering (RE), it can be very rewarding. Reverse engineering skills will serve you well in malicious software analysis, vulnerability discovery, exploit development, bypassing host-based protection, and in approaching many other interesting and useful problems in hacking. Being able to study how software works, without source code or documentation, will give you the confidence that there is nothing about a computer system you can’t understand, if you simply apply enough time and effort. Beyond all of this: it’s fun. Every malicious program becomes a new and interesting puzzle to "solve".

The purpose of this workshop is to introduce software reverse engineering to the attendees, using static and dynamic techniques with the Ghidra disassembler and WinDbg debugger. No prior experience in reverse engineering is necessary. There will be few slides–concepts and techniques will be illustrated within the Ghidra and WinDbg environments, and attendees can follow along with their own laptops and virtual environments. We will cover the following topics:

– Software Reverse Engineering concepts and terminology

– Setting up WinDbg and Ghidra

– The execution environment (CPU, Virtual Memory, Linking and Loading)

– C constructs, as seen in disassembled code

– Combining static and dynamic analysis to understand and document compiled binary code

– Methodology and approaches for reverse engineering large programs

– Hands-on malware analysis

– How to approach a "new-to-you" architecture




Skill Level: Beginner

Prerequisites for students: No previous reverse engineering experience required. Basic familiarity with programming in a high-level language is necessary (C preferred, Scripting languages like Python would be okay).




Materials or Equipment students will need to bring to participate: A laptop with a fresh Windows 10 Virtual Machine.

– Being able to dedicate 8GB RAM to the VM (meaning, you probably have 16GB in your laptop) will make the experience smoother, but you can get by with 4GB

– 10 GB storage free in the VM (after installing Windows)

– Administrative privileges

– Ability to copy exercise files from USB

We will be working with live malware samples. Depending on your comfort level with this, bring a "burner" laptop, use a clean drive, or plan on doing a clean install before and after the workshop.




Bio:

Dr. Wesley McGrew directs research, development, and offensive cyber operations as Senior Cybersecurity Fellow for MartinFed. He has presented on topics of penetration testing and and malware analysis at DEF CON and Black Hat USA and taught a self-designed course on reverse engineering to students at Mississippi State University, using real-world, high-profile malware samples. Wesley has a Ph.D. in Computer Science from Mississippi State University for his research in vulnerability analysis of SCADA HMI systems.
​ Starts August 12, 2023 14:00 Ends August 12, 2023 18:00 Location Las Vegas, NV, DEF CON 31


Sold Out – Yoann DEQUEKER – Malware development on secured environment – Write, adapt, overcome

Workshop DC Forum Page


Title: Yoann DEQUEKER – Malware development on secured environment – Write, adapt, overcome

Scheduled Date and Time (Pacific Standard): Friday, August 11, 2023, at 1400 PDT

EventBrite Link: https://www.eventbrite.com/e/yoann-d…=oddtdtcreator

Max Class Size: 35




Abstract:

This workshop will give an initiation to offensive malware development in C/C++ and how it is possible to adapt the approach depending on the security solution that must be tackled down. Different methods such as ModuleStomping, DLL Injection, Threadless Injection and Hardware Breakpoint for dehooking will be seen.

The idea is to start with a basic malware performing process injection and apply additional techniques to start evading EDR. At each step, some analysis on the malware will be performed to understand the differences at the system level and the IOC detected by the EDR.

At the end of this workshop, you will have all the knowledge needed to develop your own malware and adapt it to the targeted environment to escape from the basic pattern and spawn your beacons as if EDR didn’t exist.




Skill Level: Intermediate

Prerequisites for students: Some basic C/C++ knowledge and an entry level skills on Windows OS.




Materials or Equipment students will need to bring to participate: A Computer with VisualStudio Community or an equivalent compiler, WinDBG and a Windows System (Virtual machine might be better)




Bio:

Yoann Dequeker is a red team operator at Wavestone for 4 years entitled with OSCP certification and several HTB RedTeam Prolabs. Aside from his different RedTeam operations against CAC40 companies leading him to develop several custom malware to evade EDR to ease C2 beacon deployment or phishing campaigns, he speaks at conferences such as LeHack as a Malware Development speaker and is actively sharing his knowledge on social media under the OtterHacker pseudonym.

Beside his contribution to opensource project such as the implementation of TDO secret extraction on Impacket, he spends time playing with several EDR to understand the pros and cons of the different malware development techniques in order to craft and use the payload the most adapted to the targeted environment.
​ Starts August 11, 2023 14:00 Ends August 11, 2023 18:00 Location Las Vegas, NV, DEF CON 31